ID. Date of interview 
date 42/92/20 


ID. — Time interview started 
start 44:33:11 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
15:10:10 


ID. Duration of interview 
time 36.98 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
( ) Yes
( ) No
( ) Unsure / don't know

If no or unsure/don’t know, what other issues would you like to be covered in it? 


1. Art 15(4) provides that the right to obtain a copy of the personal data undergoing processing shall not 
adversely affect the rights and freedoms of others. Recital 63 explains, in the context of remote access, 
that the rights and freedoms of others can include trade secrets, intellectual property and copyright. 
Some explanation and guidance would be helpful;
2. In the section 'do we need to explain the information provided' (p.32) - but possibly also elsewhere -
some guidance on providing 'meaningful information about the logic involved [in automated decision-making,
including profiling] as well as the significance and envisaged consequences of such processing'
(Art 15(1)(h)) would also be welcome.


Q2 


Does the draft guidance contain the right level of detail? 
( ) Yes
( ) No
( ) Unsure / don't know


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


The trade off between clarity, certainty and detail is difficult. For non-specialists the guidance is probably 
the right level of detail. But the level of detail is such that the contents of the guidance would be well-known
for most data protection professionals. It would be useful if the ICO were able to stress test the
guidance with data protection professionals to find out where it breaks down and in particular to expose 
those areas where the Board, the ICO or wider jurisprudence does not yet have a clear, operationalisable 
view. It is these grey areas that are likely to be of most concern to professionals and where, whilst not 
looking for an answer it is not possible to give, they might welcome recognition of the uncertainty and of 
the criteria and processes (including documentation of their own thinking) that could be followed. For 
example, in considering the question of what information to supply (p.29) there is clearly a distinction that 
could be drawn between personal data, relevant context and irrelevant context. Where to draw this line is 
not clear. Examples might help but guidance could include some discussion of the dilemma. Many other 
areas of uncertainty will arise in particular areas. To choose only one, lawyers may well consider that the 
concept of the duty of confidentiality owed by a professional legal adviser to his client could be 
elaborated. What is meant by the duty of confidentiality (is it a standard defined by professional practice 
and regulation or by the law of confidence)? And what constitutes 'a professional legal adviser'? Are any 
particular qualifications, experience or recognition by a professional body or authorisation to practise 
required? Is remuneration relevant? 


Q3 


Does the draft guidance contain enough examples? 
( ) Yes
( ) No
( ) Unsure / don't know


If no or unsure/don't know, please provide any examples that you think should be included in
the draft guidance.


Examples are extremely helpful. Would it be possible to supplement the guidance regularly with additional 
examples - perhaps suitably anonymised examples from the ICO's on-going case handling experience, 
cases and opinions and its developing thinking? FAQs (although also much less frequently and even 
obscure questions and never asked questions) could also help. As an example of a quick Q&A, in the 
discussion of the crime and taxation exemption (p.46) are controllers under any obligation to let data
subjects know that certain information (though not necessarily what information) has been withheld? If 
not, how can they challenge, and the ICO oversee, an incorrect decision? 


Q4 


We have found that data protection professionals often struggle with applying and
defining 'manifestly unfounded or excessive' subject access requests. We would like to
include a wide range of examples from a variety of sectors to help you. Please provide
some examples of manifestly unfounded and excessive requests below (if applicable).


No views except that many data controllers will seek to exploit this exemption 
beyond its limits and should be discouraged from doing so. 


Q5 


Q6 


Q7 


On a scale of 1-5 how useful is the draft guidance? 


( ) 1 - Not at all useful
( ) 2 - Slightly useful
( ) 3 - Moderately useful
( ) 4 - Very useful
( ) 5 - Extremely useful


Why have you given this score? 


It is good guidance and will provide much help. It is only in relation to those difficult, 
grey areas that it falls short. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


( ) Strongly disagree
( ) Disagree
( ) Neither agree nor disagree
( ) Agree
( ) Strongly agree


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


Is it worthwhile to consider the basis on which consent to being named (as a third 
party) in a SAR can be treated as 'real' consent. The seniority of the individual has 
some relevance here. 'Consent' from a junior member of staff may not be 'real' 
consent. Moreover, in considering whether it is reasonable to disclose without 
consent it may be relevant, in those cases where an organisation does not have a 
DPO, who is making the decision about reasonableness. A senior member of staff 
may effectively be deciding in relation to themselves whether or not the organisation 
should disclose personal data about them. Should there not be a presumption that
the more senior the person the more appropriate disclosure would be? The more
junior, the less appropriate?


Are you answering as: 

( ) An individual acting in a private capacity (eg someone providing their views as a member of the public)
( ) An individual acting in a professional capacity
( ) On behalf of an organisation
( ) Other

Please specify the name of your organisation: 


What sector are you from: 
data protection 


Q10 How did you find out about this survey? 
( ) ICO Twitter account
( ) ICO Facebook account
( ) ICO LinkedIn account
( ) ICO website
( ) ICO newsletter
( ) ICO staff member
( ) Colleague
( ) Personal/work Twitter account
( ) Personal/work Facebook account
( ) Personal/work LinkedIn account
( ) Other
If other please specify: 


